diff --git a/policy-F16.patch b/policy-F16.patch index 5e210c5..b5957fb 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -81631,7 +81631,7 @@ index 6a1e4d1..82432bb 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index fae1ab1..0a5271f 100644 +index fae1ab1..9934739 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,21 @@ policy_module(domain, 1.9.1) @@ -81656,7 +81656,7 @@ index fae1ab1..0a5271f 100644 ## ##

-@@ -86,23 +101,39 @@ neverallow ~{ domain unlabeled_t } *:process *; +@@ -86,23 +101,40 @@ neverallow ~{ domain unlabeled_t } *:process *; allow domain self:dir list_dir_perms; allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; allow domain self:file rw_file_perms; @@ -81687,6 +81687,7 @@ index fae1ab1..0a5271f 100644 +# allow all domains to search through default_t directory, since users sometimes +# place labels within these directories. (samba_share_t) for example. +files_search_default(domain) ++files_read_inherited_tmp_files(domain) + +# All executables should be able to search the directory they are in +corecmd_search_bin(domain) @@ -81697,7 +81698,7 @@ index fae1ab1..0a5271f 100644 tunable_policy(`global_ssp',` # enable reading of urandom for all domains: -@@ -113,8 +144,13 @@ tunable_policy(`global_ssp',` +@@ -113,8 +145,13 @@ tunable_policy(`global_ssp',` ') optional_policy(` @@ -81711,7 +81712,7 @@ index fae1ab1..0a5271f 100644 ') optional_policy(` -@@ -125,6 +161,8 @@ optional_policy(` +@@ -125,6 +162,8 @@ optional_policy(` optional_policy(` xserver_dontaudit_use_xdm_fds(domain) xserver_dontaudit_rw_xdm_pipes(domain) @@ -81720,7 +81721,7 @@ index fae1ab1..0a5271f 100644 ') ######################################## -@@ -143,8 +181,13 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; +@@ -143,8 +182,13 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; allow unconfined_domain_type domain:fd use; allow unconfined_domain_type domain:fifo_file rw_file_perms; @@ -81735,7 +81736,7 @@ index fae1ab1..0a5271f 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -158,5 +201,263 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -158,5 +202,267 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; 
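Review bot: `++files_read_inherited_tmp_files(domain)` gives every domain append plus read access to inherited files of every tmpfile type, which is a blanket grant rather than the read-only access the name suggests (the interface this patch adds to files.if allows `{ append read_inherited_file_perms }`). The line sits directly under a why-comment for files_search_default(domain) but carries none of its own, so the next reader cannot tell which inherited descriptor motivated it. I would add `# all domains may read/append inherited tmp file descriptors (presumably redirected stdout/stderr of a parent — TODO confirm)` and check whether `read` alone is enough for that case. The domain.te block continues outside the hunk.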
@@ -81848,6 +81849,10 @@ index fae1ab1..0a5271f 100644 +') + +optional_policy(` ++ rpcbind_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` + sysnet_filetrans_named_content(unconfined_domain_type) +') + @@ -82145,7 +82150,7 @@ index c19518a..145c899 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index ff006ea..beea868 100644 +index ff006ea..5e933f1 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -55,6 +55,7 @@ @@ -83008,7 +83013,32 @@ index ff006ea..beea868 100644 ## Set the attributes of all tmp directories. ## ## -@@ -4202,7 +4737,7 @@ interface(`files_relabel_all_tmp_dirs',` +@@ -4155,6 +4690,24 @@ interface(`files_setattr_all_tmp_dirs',` + allow $1 tmpfile:dir { search_dir_perms setattr }; + ') + ++####################################### ++##

++## List all tmp directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_read_inherited_tmp_files',` ++ gen_require(` ++ attribute tmpfile; ++ ') ++ ++ allow $1 tmpfile:file { append read_inherited_file_perms }; ++') ++ + ######################################## + ## + ## List all tmp directories. +@@ -4202,7 +4755,7 @@ interface(`files_relabel_all_tmp_dirs',` ## ## ## @@ -83017,7 +83047,7 @@ index ff006ea..beea868 100644 ## ## # -@@ -4262,7 +4797,7 @@ interface(`files_relabel_all_tmp_files',` +@@ -4262,7 +4815,7 @@ interface(`files_relabel_all_tmp_files',` ## ## ## @@ -83026,7 +83056,7 @@ index ff006ea..beea868 100644 ## ## # -@@ -4318,7 +4853,7 @@ interface(`files_tmp_filetrans',` +@@ -4318,7 +4871,7 @@ interface(`files_tmp_filetrans',` type tmp_t; ') @@ -83035,7 +83065,7 @@ index ff006ea..beea868 100644 ') ######################################## -@@ -4342,6 +4877,16 @@ interface(`files_purge_tmp',` +@@ -4342,6 +4895,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -83052,7 +83082,7 @@ index ff006ea..beea868 100644 ') ######################################## -@@ -4681,7 +5226,7 @@ interface(`files_usr_filetrans',` +@@ -4681,7 +5244,7 @@ interface(`files_usr_filetrans',` type usr_t; ') @@ -83061,7 +83091,7 @@ index ff006ea..beea868 100644 ') ######################################## -@@ -4914,6 +5459,24 @@ interface(`files_list_var',` +@@ -4914,6 +5477,24 @@ interface(`files_list_var',` ######################################## ## @@ -83086,7 +83116,7 @@ index ff006ea..beea868 100644 ## Create, read, write, and delete directories ## in the /var directory. ## -@@ -5084,7 +5647,7 @@ interface(`files_var_filetrans',` +@@ -5084,7 +5665,7 @@ interface(`files_var_filetrans',` type var_t; ') 
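Review bot: The summary of the new `files_read_inherited_tmp_files` interface says `## List all tmp directories.`, copied from the interface that follows it, while the only rule it contains is `allow $1 tmpfile:file { append read_inherited_file_perms };`. I would change the summary to `## Append to and read inherited tmp files (no open permission).` so the doc states the actual grant, and note in the description that `append` widens this beyond a read interface if that is intentional. The separator above it also looks one `#` shorter than the surrounding `########################################` headers, worth aligning.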
@@ -83095,7 +83125,7 @@ index ff006ea..beea868 100644 ') ######################################## -@@ -5219,7 +5782,7 @@ interface(`files_var_lib_filetrans',` +@@ -5219,7 +5800,7 @@ interface(`files_var_lib_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -83104,7 +83134,7 @@ index ff006ea..beea868 100644 ') ######################################## -@@ -5259,6 +5822,25 @@ interface(`files_read_var_lib_symlinks',` +@@ -5259,6 +5840,25 @@ interface(`files_read_var_lib_symlinks',` read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -83130,7 +83160,7 @@ index ff006ea..beea868 100644 # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -5304,6 +5886,25 @@ interface(`files_manage_mounttab',` +@@ -5304,6 +5904,25 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -83156,7 +83186,7 @@ index ff006ea..beea868 100644 ## Search the locks directory (/var/lock). ## ## -@@ -5317,6 +5918,8 @@ interface(`files_search_locks',` +@@ -5317,6 +5936,8 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -83165,7 +83195,7 @@ index ff006ea..beea868 100644 search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5336,12 +5939,14 @@ interface(`files_dontaudit_search_locks',` +@@ -5336,12 +5957,14 @@ interface(`files_dontaudit_search_locks',` type var_lock_t; ') @@ -83181,7 +83211,7 @@ index ff006ea..beea868 100644 ## ## ## -@@ -5349,12 +5954,30 @@ interface(`files_dontaudit_search_locks',` +@@ -5349,12 +5972,30 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -83214,7 +83244,7 @@ index ff006ea..beea868 100644 ') ######################################## -@@ -5373,6 +5996,7 @@ interface(`files_rw_lock_dirs',` +@@ -5373,6 +6014,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') 
@@ -83222,7 +83252,7 @@ index ff006ea..beea868 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5385,7 +6009,6 @@ interface(`files_rw_lock_dirs',` +@@ -5385,7 +6027,6 @@ interface(`files_rw_lock_dirs',` ## Domain allowed access. ## ## @@ -83230,7 +83260,7 @@ index ff006ea..beea868 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5412,7 +6035,7 @@ interface(`files_getattr_generic_locks',` +@@ -5412,7 +6053,7 @@ interface(`files_getattr_generic_locks',` type var_t, var_lock_t; ') @@ -83239,7 +83269,7 @@ index ff006ea..beea868 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5428,12 +6051,12 @@ interface(`files_getattr_generic_locks',` +@@ -5428,12 +6069,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -83256,7 +83286,7 @@ index ff006ea..beea868 100644 ') ######################################## -@@ -5452,7 +6075,7 @@ interface(`files_manage_generic_locks',` +@@ -5452,7 +6093,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -83265,7 +83295,7 @@ index ff006ea..beea868 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5493,7 +6116,7 @@ interface(`files_read_all_locks',` +@@ -5493,7 +6134,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -83274,7 +83304,7 @@ index ff006ea..beea868 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5515,7 +6138,7 @@ interface(`files_manage_all_locks',` +@@ -5515,7 +6156,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') 
@@ -83283,7 +83313,7 @@ index ff006ea..beea868 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5547,8 +6170,8 @@ interface(`files_lock_filetrans',` +@@ -5547,8 +6188,8 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -83294,7 +83324,7 @@ index ff006ea..beea868 100644 ') ######################################## -@@ -5608,6 +6231,43 @@ interface(`files_search_pids',` +@@ -5608,6 +6249,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') @@ -83338,7 +83368,7 @@ index ff006ea..beea868 100644 ######################################## ## ## Do not audit attempts to search -@@ -5629,27 +6289,46 @@ interface(`files_dontaudit_search_pids',` +@@ -5629,8 +6307,27 @@ interface(`files_dontaudit_search_pids',` ######################################## ## 
@@ -83346,54 +83376,29 @@ index ff006ea..beea868 100644 -## ID directories (/var/run). +## Do not audit attempts to search +## the all /var/run directory. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`files_list_pids',` -+interface(`files_dontaudit_search_all_pids',` - gen_require(` -- type var_t, var_run_t; -+ attribute pidfile; - ') - -- list_dirs_pattern($1, var_t, var_run_t) -+ dontaudit $1 pidfile:dir search_dir_perms; - ') - - ######################################## - ## --## Read generic process ID files. --## -+## List the contents of the runtime process -+## ID directories (/var/run). +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`files_list_pids',` ++interface(`files_dontaudit_search_all_pids',` + gen_require(` -+ type var_t, var_run_t; ++ attribute pidfile; + ') + -+ list_dirs_pattern($1, var_t, var_run_t) ++ dontaudit $1 pidfile:dir search_dir_perms; +') + +######################################## +## -+## Read generic process ID files. -+## ++## List the contents of the runtime process ++## ID directories (/var/run). + ## ## ## - ## Domain allowed access. -@@ -5736,7 +6415,7 @@ interface(`files_pid_filetrans',` +@@ -5736,7 +6433,7 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -83402,7 +83407,7 @@ index ff006ea..beea868 100644 ') ######################################## -@@ -5815,6 +6494,116 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -5815,6 +6512,116 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -83519,7 +83524,7 @@ index ff006ea..beea868 100644 ## Read all process ID files. ## ## -@@ -5832,6 +6621,62 @@ interface(`files_read_all_pids',` +@@ -5832,6 +6639,62 @@ interface(`files_read_all_pids',` list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) 
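Review bot: The summary of the new `files_dontaudit_search_all_pids` interface reads `## Do not audit attempts to search` / `## the all /var/run directory.`, which is ungrammatical and narrower than the rule, since `dontaudit $1 pidfile:dir search_dir_perms;` covers every type carrying the pidfile attribute, not only /var/run itself. I would write `## Do not audit attempts to search all process ID directories.` Otherwise this rework leaves the original files_list_pids interface untouched, which is cleaner than the hunk it replaces.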
@@ -83582,7 +83587,7 @@ index ff006ea..beea868 100644 ') ######################################## -@@ -5900,6 +6745,90 @@ interface(`files_delete_all_pid_dirs',` +@@ -5900,6 +6763,90 @@ interface(`files_delete_all_pid_dirs',` ######################################## ## @@ -83673,7 +83678,7 @@ index ff006ea..beea868 100644 ## Search the contents of generic spool ## directories (/var/spool). ## -@@ -6042,7 +6971,7 @@ interface(`files_spool_filetrans',` +@@ -6042,7 +6989,7 @@ interface(`files_spool_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -83682,7 +83687,7 @@ index ff006ea..beea868 100644 ') ######################################## -@@ -6117,3 +7046,344 @@ interface(`files_unconfined',` +@@ -6117,3 +7064,344 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -86336,7 +86341,7 @@ index 57c4a6a..d323c74 100644 +/usr/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/usr/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if -index 1700ef2..9282b84 100644 +index 1700ef2..b2bea9d 100644 --- a/policy/modules/kernel/storage.if +++ b/policy/modules/kernel/storage.if @@ -101,6 +101,8 @@ interface(`storage_raw_read_fixed_disk',` 
@@ -86348,7 +86353,37 @@ index 1700ef2..9282b84 100644 typeattribute $1 fixed_disk_raw_read; ') -@@ -205,6 +207,7 @@ interface(`storage_create_fixed_disk_dev',` +@@ -188,6 +190,29 @@ interface(`storage_raw_rw_fixed_disk',` + storage_raw_write_fixed_disk($1) + ') + ++####################################### ++## ++## Allow the caller to read/write inherited fixed disk ++## device nodes. ++## ++## ++## ++## The domain allowed access. ++## ++## ++# ++interface(`storage_rw_inherited_fixed_disk_dev',` ++ gen_require(` ++ type fixed_disk_device_t; ++ attribute fixed_disk_raw_write; ++ attribute fixed_disk_raw_read; ++ ') ++ ++ allow $1 fixed_disk_device_t:chr_file { read write }; ++ typeattribute $1 fixed_disk_raw_write; ++ typeattribute $1 fixed_disk_raw_read; ++') ++ + ######################################## + ## + ## Allow the caller to create fixed disk device nodes. +@@ -205,6 +230,7 @@ interface(`storage_create_fixed_disk_dev',` allow $1 self:capability mknod; allow $1 fixed_disk_device_t:blk_file create_blk_file_perms; @@ -86356,7 +86391,7 @@ index 1700ef2..9282b84 100644 dev_add_entry_generic_dirs($1) ') -@@ -269,6 +272,48 @@ interface(`storage_dev_filetrans_fixed_disk',` +@@ -269,6 +295,48 @@ interface(`storage_dev_filetrans_fixed_disk',` dev_filetrans($1, fixed_disk_device_t, blk_file) ') @@ -86405,7 +86440,7 @@ index 1700ef2..9282b84 100644 ######################################## ## ## Create block devices in on a tmpfs filesystem with the -@@ -808,3 +853,369 @@ interface(`storage_unconfined',` +@@ -808,3 +876,369 @@ interface(`storage_unconfined',` typeattribute $1 storage_unconfined_type; ') @@ -92467,10 +92502,10 @@ index 6480167..f9d3c63 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 3136c6a..745b9be 100644 +index 3136c6a..2a489c4 100644 --- a/policy/modules/services/apache.te 
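Review bot: `storage_rw_inherited_fixed_disk_dev` allows `read write` only on `fixed_disk_device_t:chr_file`, yet the other fixed-disk interfaces in this file treat the nodes as block devices (storage_create_fixed_disk_dev in the following hunk uses `blk_file`), so an inherited descriptor to a block device node is presumably still denied — confirm which class the caller actually inherits. The two `typeattribute` lines also place the caller in fixed_disk_raw_read and fixed_disk_raw_write, the same classification the full raw read/write interfaces confer; if that is only there to satisfy neverallow rules on fixed_disk_device_t, the interface should say so. I would add `## Access is limited to already-open descriptors; callers are still added to the raw read/write attributes.` under the summary and, once confirmed, a `# needed to satisfy the fixed_disk raw neverallows` comment above the typeattribute lines.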
+++ b/policy/modules/services/apache.te -@@ -18,136 +18,268 @@ policy_module(apache, 2.2.1) +@@ -18,136 +18,275 @@ policy_module(apache, 2.2.1) # Declarations # @@ -92674,7 +92709,6 @@ index 3136c6a..745b9be 100644 ## -##

-## Allow HTTPD to run SSI executables in the same domain as system CGI scripts. --##

+##

+## Allow httpd to read user content +##

@@ -92689,10 +92723,17 @@ index 3136c6a..745b9be 100644 +gen_tunable(httpd_run_stickshift, false) + +## ++##

++## Allow Apache to query NS records + ##

+ ##
++gen_tunable(httpd_verify_dns, false) ++ ++## +##

+## Allow HTTPD to run SSI executables in the same domain as system CGI scripts. +##

- ##
++##
gen_tunable(httpd_ssi_exec, false) ## @@ -92795,7 +92836,7 @@ index 3136c6a..745b9be 100644 attribute httpd_script_exec_type; attribute httpd_user_script_exec_type; -@@ -166,7 +298,7 @@ files_type(httpd_cache_t) +@@ -166,7 +305,7 @@ files_type(httpd_cache_t) # httpd_config_t is the type given to the configuration files type httpd_config_t; @@ -92804,7 +92845,7 @@ index 3136c6a..745b9be 100644 type httpd_helper_t; type httpd_helper_exec_t; -@@ -177,6 +309,9 @@ role system_r types httpd_helper_t; +@@ -177,6 +316,9 @@ role system_r types httpd_helper_t; type httpd_initrc_exec_t; init_script_file(httpd_initrc_exec_t) @@ -92814,7 +92855,7 @@ index 3136c6a..745b9be 100644 type httpd_lock_t; files_lock_file(httpd_lock_t) -@@ -216,7 +351,21 @@ files_tmp_file(httpd_suexec_tmp_t) +@@ -216,7 +358,21 @@ files_tmp_file(httpd_suexec_tmp_t) # setup the system domain for system CGI scripts apache_content_template(sys) @@ -92837,7 +92878,7 @@ index 3136c6a..745b9be 100644 type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -226,6 +375,10 @@ files_tmpfs_file(httpd_tmpfs_t) +@@ -226,6 +382,10 @@ files_tmpfs_file(httpd_tmpfs_t) apache_content_template(user) ubac_constrained(httpd_user_script_t) @@ -92848,7 +92889,7 @@ index 3136c6a..745b9be 100644 userdom_user_home_content(httpd_user_content_t) userdom_user_home_content(httpd_user_htaccess_t) userdom_user_home_content(httpd_user_script_exec_t) -@@ -233,6 +386,7 @@ userdom_user_home_content(httpd_user_ra_content_t) +@@ -233,6 +393,7 @@ userdom_user_home_content(httpd_user_ra_content_t) userdom_user_home_content(httpd_user_rw_content_t) typeattribute httpd_user_script_t httpd_script_domains; typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; 
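Review bot: The description of the new tunable, `## Allow Apache to query NS records`, does not say what the tunable actually enables; the matching `tunable_policy(`httpd_verify_dns',` added further down this file section (hunk `@@ -93283,13 +93324,17 @@`) grants `corenet_udp_bind_all_ephemeral_ports(httpd_t)`, which is UDP port binding rather than a DNS-specific permission. I would phrase it as `## Allow httpd to bind ephemeral UDP ports so it can perform DNS lookups (e.g. hostname verification).` so an administrator reading the boolean knows its real scope. Whether the lookups are NS queries specifically cannot be confirmed from the hunk.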
@@ -92856,7 +92897,7 @@ index 3136c6a..745b9be 100644 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -254,14 +408,23 @@ files_type(httpd_var_lib_t) +@@ -254,14 +415,23 @@ files_type(httpd_var_lib_t) type httpd_var_run_t; files_pid_file(httpd_var_run_t) @@ -92880,7 +92921,7 @@ index 3136c6a..745b9be 100644 ######################################## # # Apache server local policy -@@ -281,11 +444,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -281,11 +451,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow httpd_t self:tcp_socket create_stream_socket_perms; allow httpd_t self:udp_socket create_socket_perms; @@ -92894,7 +92935,7 @@ index 3136c6a..745b9be 100644 # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -329,8 +494,10 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; +@@ -329,8 +501,10 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) @@ -92906,7 +92947,7 @@ index 3136c6a..745b9be 100644 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -@@ -339,8 +506,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) +@@ -339,8 +513,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) 
@@ -92917,7 +92958,7 @@ index 3136c6a..745b9be 100644 setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -@@ -355,6 +523,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -355,6 +530,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -92927,7 +92968,7 @@ index 3136c6a..745b9be 100644 corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -365,11 +536,19 @@ corenet_udp_sendrecv_generic_node(httpd_t) +@@ -365,11 +543,19 @@ corenet_udp_sendrecv_generic_node(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -92948,7 +92989,7 @@ index 3136c6a..745b9be 100644 dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) -@@ -378,12 +557,13 @@ dev_rw_crypto(httpd_t) +@@ -378,12 +564,13 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -92965,7 +93006,7 @@ index 3136c6a..745b9be 100644 domain_use_interactive_fds(httpd_t) -@@ -391,6 +571,7 @@ files_dontaudit_getattr_all_pids(httpd_t) +@@ -391,6 +578,7 @@ files_dontaudit_getattr_all_pids(httpd_t) files_read_usr_files(httpd_t) files_list_mnt(httpd_t) files_search_spool(httpd_t) @@ -92973,7 +93014,7 @@ index 3136c6a..745b9be 100644 files_read_var_lib_files(httpd_t) files_search_home(httpd_t) files_getattr_home_dir(httpd_t) -@@ -402,48 +583,101 @@ files_read_etc_files(httpd_t) +@@ -402,48 +590,101 @@ files_read_etc_files(httpd_t) files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) 
@@ -93077,7 +93118,7 @@ index 3136c6a..745b9be 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -454,27 +688,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -454,27 +695,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -93141,7 +93182,7 @@ index 3136c6a..745b9be 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,7 +752,22 @@ tunable_policy(`httpd_can_sendmail',` +@@ -484,7 +759,22 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -93164,7 +93205,7 @@ index 3136c6a..745b9be 100644 ') tunable_policy(`httpd_ssi_exec',` -@@ -499,9 +782,19 @@ tunable_policy(`httpd_ssi_exec',` +@@ -499,9 +789,19 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` @@ -93185,7 +93226,7 @@ index 3136c6a..745b9be 100644 ') optional_policy(` -@@ -513,7 +806,13 @@ optional_policy(` +@@ -513,7 +813,13 @@ optional_policy(` ') optional_policy(` @@ -93200,7 +93241,7 @@ index 3136c6a..745b9be 100644 ') optional_policy(` -@@ -528,7 +827,25 @@ optional_policy(` +@@ -528,7 +834,25 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -93227,7 +93268,7 @@ index 3136c6a..745b9be 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,13 +854,24 @@ optional_policy(` +@@ -537,13 +861,24 @@ optional_policy(` ') optional_policy(` @@ -93253,7 +93294,7 @@ index 3136c6a..745b9be 100644 ') optional_policy(` -@@ -556,7 +884,21 @@ optional_policy(` +@@ -556,7 +891,21 @@ optional_policy(` ') optional_policy(` 
@@ -93275,7 +93316,7 @@ index 3136c6a..745b9be 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +909,7 @@ optional_policy(` +@@ -567,6 +916,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -93283,13 +93324,17 @@ index 3136c6a..745b9be 100644 ') optional_policy(` -@@ -577,6 +920,51 @@ optional_policy(` +@@ -577,6 +927,55 @@ optional_policy(` ') optional_policy(` + pwauth_domtrans(httpd_t) +') + ++tunable_policy(`httpd_verify_dns',` ++ corenet_udp_bind_all_ephemeral_ports(httpd_t) ++') ++ +optional_policy(` + tunable_policy(`httpd_run_stickshift', ` + allow httpd_t self:capability { fowner fsetid sys_resource }; @@ -93335,7 +93380,7 @@ index 3136c6a..745b9be 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -591,6 +979,11 @@ optional_policy(` +@@ -591,6 +990,11 @@ optional_policy(` ') optional_policy(` @@ -93347,7 +93392,7 @@ index 3136c6a..745b9be 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +996,12 @@ optional_policy(` +@@ -603,6 +1007,12 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -93360,7 +93405,7 @@ index 3136c6a..745b9be 100644 ######################################## # # Apache helper local policy -@@ -616,7 +1015,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -616,7 +1026,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) @@ -93373,7 +93418,7 @@ index 3136c6a..745b9be 100644 ######################################## # -@@ -654,28 +1057,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -654,28 +1068,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` 
@@ -93417,7 +93462,7 @@ index 3136c6a..745b9be 100644 ') ######################################## -@@ -685,6 +1090,8 @@ optional_policy(` +@@ -685,6 +1101,8 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; @@ -93426,7 +93471,7 @@ index 3136c6a..745b9be 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -699,17 +1106,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -699,17 +1117,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -93452,7 +93497,7 @@ index 3136c6a..745b9be 100644 files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,13 +1152,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,13 +1163,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -93485,7 +93530,7 @@ index 3136c6a..745b9be 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -769,6 +1199,25 @@ optional_policy(` +@@ -769,6 +1210,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -93511,7 +93556,7 @@ index 3136c6a..745b9be 100644 ######################################## # # Apache system script local policy -@@ -789,12 +1238,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -789,12 +1249,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) 
@@ -93529,7 +93574,7 @@ index 3136c6a..745b9be 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,18 +1257,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,18 +1268,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') @@ -93586,7 +93631,7 @@ index 3136c6a..745b9be 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -822,14 +1308,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -822,14 +1319,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -93627,7 +93672,7 @@ index 3136c6a..745b9be 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,10 +1353,20 @@ optional_policy(` +@@ -842,10 +1364,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -93648,7 +93693,7 @@ index 3136c6a..745b9be 100644 ') ######################################## -@@ -891,11 +1412,146 @@ optional_policy(` +@@ -891,11 +1423,146 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -93666,7 +93711,7 @@ index 3136c6a..745b9be 100644 + userdom_search_user_home_content(httpd_t) + userdom_search_user_home_content(httpd_suexec_t) + userdom_search_user_home_content(httpd_user_script_t) -+') + ') + +tunable_policy(`httpd_read_user_content',` + userdom_read_user_home_content_files(httpd_t) @@ -93775,7 +93820,7 @@ index 3136c6a..745b9be 100644 + +optional_policy(` + nscd_socket_use(httpd_script_type) - ') ++') + +read_files_pattern(httpd_t, httpd_content_type, httpd_content_type) + 
@@ -94969,7 +95014,7 @@ index 59aa54f..b01072c 100644 /usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0) /usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if -index 44a1e3d..9b50c13 100644 +index 44a1e3d..bc50fd6 100644 --- a/policy/modules/services/bind.if +++ b/policy/modules/services/bind.if @@ -20,6 +20,29 @@ interface(`bind_initrc_domtrans',` @@ -95002,7 +95047,15 @@ index 44a1e3d..9b50c13 100644 ## Execute ndc in the ndc domain. ##
## -@@ -186,7 +209,7 @@ interface(`bind_write_config',` +@@ -167,6 +190,7 @@ interface(`bind_read_config',` + type named_conf_t; + ') + ++ allow $1 named_conf_t:dir list_dir_perms; + read_files_pattern($1, named_conf_t, named_conf_t) + ') + +@@ -186,7 +210,7 @@ interface(`bind_write_config',` ') write_files_pattern($1, named_conf_t, named_conf_t) @@ -95011,7 +95064,7 @@ index 44a1e3d..9b50c13 100644 ') ######################################## -@@ -210,6 +233,25 @@ interface(`bind_manage_config_dirs',` +@@ -210,6 +234,25 @@ interface(`bind_manage_config_dirs',` ######################################## ## @@ -95037,7 +95090,7 @@ index 44a1e3d..9b50c13 100644 ## Search the BIND cache directory. ## ## -@@ -266,7 +308,7 @@ interface(`bind_setattr_pid_dirs',` +@@ -266,7 +309,7 @@ interface(`bind_setattr_pid_dirs',` type named_var_run_t; ') @@ -95046,7 +95099,7 @@ index 44a1e3d..9b50c13 100644 ') ######################################## -@@ -284,7 +326,7 @@ interface(`bind_setattr_zone_dirs',` +@@ -284,7 +327,7 @@ interface(`bind_setattr_zone_dirs',` type named_zone_t; ') @@ -95055,7 +95108,7 @@ index 44a1e3d..9b50c13 100644 ') ######################################## -@@ -308,6 +350,27 @@ interface(`bind_read_zone',` +@@ -308,6 +351,27 @@ interface(`bind_read_zone',` ######################################## ## @@ -95083,7 +95136,7 @@ index 44a1e3d..9b50c13 100644 ## Manage BIND zone files. ## ## -@@ -359,18 +422,26 @@ interface(`bind_udp_chat_named',` +@@ -359,18 +423,26 @@ interface(`bind_udp_chat_named',` interface(`bind_admin',` gen_require(` type named_t, named_tmp_t, named_log_t; @@ -95116,7 +95169,7 @@ index 44a1e3d..9b50c13 100644 bind_run_ndc($1, $2) init_labeled_script_domtrans($1, named_initrc_exec_t) -@@ -391,9 +462,12 @@ interface(`bind_admin',` +@@ -391,9 +463,12 @@ interface(`bind_admin',` admin_pattern($1, named_zone_t) admin_pattern($1, dnssec_t) @@ -104196,7 +104249,7 @@ index 1a1becd..115133d 100644 + dontaudit $1 session_bus_type:dbus send_msg; ') 
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te -index 1bff6ee..37c9ef1 100644 +index 1bff6ee..f8993c2 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -10,6 +10,7 @@ gen_require(` @@ -104267,7 +104320,12 @@ index 1bff6ee..37c9ef1 100644 logging_send_audit_msgs(system_dbusd_t) logging_send_syslog_msg(system_dbusd_t) -@@ -136,11 +145,31 @@ seutil_sigchld_newrole(system_dbusd_t) +@@ -133,14 +142,36 @@ seutil_read_config(system_dbusd_t) + seutil_read_default_contexts(system_dbusd_t) + seutil_sigchld_newrole(system_dbusd_t) + ++storage_rw_inherited_fixed_disk_dev(system_dbusd_t) ++ userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t) userdom_dontaudit_search_user_home_dirs(system_dbusd_t) @@ -104299,7 +104357,7 @@ index 1bff6ee..37c9ef1 100644 policykit_dbus_chat(system_dbusd_t) policykit_domtrans_auth(system_dbusd_t) policykit_search_lib(system_dbusd_t) -@@ -151,12 +180,162 @@ optional_policy(` +@@ -151,12 +182,162 @@ optional_policy(` ') optional_policy(` @@ -104320,7 +104378,7 @@ index 1bff6ee..37c9ef1 100644 # -# Unconfined access to this module +# system_bus_type rules - # ++# +role system_r types system_bus_type; + +fs_search_all(system_bus_type) @@ -104341,7 +104399,7 @@ index 1bff6ee..37c9ef1 100644 +optional_policy(` + abrt_stream_connect(system_bus_type) +') - ++ +optional_policy(` + rpm_script_dbus_chat(system_bus_type) +') @@ -104355,7 +104413,7 @@ index 1bff6ee..37c9ef1 100644 +') + +######################################## -+# + # +# session_bus_type rules +# +dontaudit session_bus_type self:capability sys_resource; @@ -104434,7 +104492,7 @@ index 1bff6ee..37c9ef1 100644 +userdom_manage_user_home_content_dirs(session_bus_type) +userdom_manage_user_home_content_files(session_bus_type) +userdom_user_home_dir_filetrans_user_home_content(session_bus_type, { dir file }) -+ + +optional_policy(` + gnome_read_gconf_home_files(session_bus_type) +') 
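Review bot: `++storage_rw_inherited_fixed_disk_dev(system_dbusd_t)` gives the system bus daemon read/write access to fixed disk device nodes and, through that interface's typeattribute lines, membership in fixed_disk_raw_read/fixed_disk_raw_write, without any comment on which inherited descriptor requires it. For a daemon that brokers messages rather than touching disks this deserves a why-comment, e.g. `# inherits an open fixed-disk fd from <caller> — TODO confirm`, and if the access is only leaked-descriptor noise a dontaudit would be the conventional fix instead of an allow. The system_dbusd_t block continues outside the hunk.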
@@ -119647,7 +119705,7 @@ index 2324d9e..da61d01 100644 + files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf") +') diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te -index 0619395..7c2d938 100644 +index 0619395..9a5791f 100644 --- a/policy/modules/services/networkmanager.te +++ b/policy/modules/services/networkmanager.te @@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) @@ -119747,7 +119805,7 @@ index 0619395..7c2d938 100644 files_read_usr_files(NetworkManager_t) files_read_usr_src_files(NetworkManager_t) -@@ -128,35 +162,44 @@ init_domtrans_script(NetworkManager_t) +@@ -128,35 +162,52 @@ init_domtrans_script(NetworkManager_t) auth_use_nsswitch(NetworkManager_t) @@ -119784,6 +119842,14 @@ index 0619395..7c2d938 100644 +userdom_read_home_certs(NetworkManager_t) userdom_read_user_home_content_files(NetworkManager_t) +userdom_dgram_send(NetworkManager_t) ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_read_nfs_files(NetworkManager_t) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_read_cifs_files(NetworkManager_t) ++') optional_policy(` avahi_domtrans(NetworkManager_t) @@ -119794,7 +119860,7 @@ index 0619395..7c2d938 100644 ') optional_policy(` -@@ -176,10 +219,17 @@ optional_policy(` +@@ -176,10 +227,17 @@ optional_policy(` ') optional_policy(` @@ -119812,7 +119878,7 @@ index 0619395..7c2d938 100644 ') ') -@@ -191,6 +241,7 @@ optional_policy(` +@@ -191,6 +249,7 @@ optional_policy(` dnsmasq_kill(NetworkManager_t) dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) @@ -119820,7 +119886,7 @@ index 0619395..7c2d938 100644 ') optional_policy(` -@@ -202,23 +253,45 @@ optional_policy(` +@@ -202,23 +261,45 @@ optional_policy(` ') optional_policy(` 
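Review bot: The two `tunable_policy` blocks added at the end of hunk `@@ -128,35 +162,52 @@` give NetworkManager_t read access to every nfs_t/cifs_t file, not just certificate content under users' home directories, which is the stated motivation ("Allow NM to read certs on NFS/CIFS") in the spec changelog. That breadth is conventional for these booleans, but it should be visible at the rule, e.g. `# use_nfs_home_dirs/use_samba_home_dirs: user certificates may live in network-mounted home dirs`. If a home-content-scoped interface exists for these filesystems it would be the tighter choice; I have not verified one is available.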
@@ -119866,7 +119932,7 @@ index 0619395..7c2d938 100644 openvpn_domtrans(NetworkManager_t) openvpn_kill(NetworkManager_t) openvpn_signal(NetworkManager_t) -@@ -234,6 +307,10 @@ optional_policy(` +@@ -234,6 +315,10 @@ optional_policy(` ') optional_policy(` @@ -119877,7 +119943,7 @@ index 0619395..7c2d938 100644 ppp_initrc_domtrans(NetworkManager_t) ppp_domtrans(NetworkManager_t) ppp_manage_pid_files(NetworkManager_t) -@@ -241,6 +318,7 @@ optional_policy(` +@@ -241,6 +326,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -119885,7 +119951,7 @@ index 0619395..7c2d938 100644 ') optional_policy(` -@@ -254,6 +332,10 @@ optional_policy(` +@@ -254,6 +340,10 @@ optional_policy(` ') optional_policy(` @@ -119896,7 +119962,7 @@ index 0619395..7c2d938 100644 udev_exec(NetworkManager_t) udev_read_db(NetworkManager_t) ') -@@ -263,6 +345,7 @@ optional_policy(` +@@ -263,6 +353,7 @@ optional_policy(` vpn_kill(NetworkManager_t) vpn_signal(NetworkManager_t) vpn_signull(NetworkManager_t) @@ -120117,7 +120183,7 @@ index abe3f7f..8ba3aef 100644 + allow $1 nis_unit_file_t:service all_service_perms; ') diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te -index 4876cae..9f3b09b 100644 +index 4876cae..702f372 100644 --- a/policy/modules/services/nis.te +++ b/policy/modules/services/nis.te @@ -18,12 +18,12 @@ init_daemon_domain(ypbind_t, ypbind_exec_t) 
@@ -120176,7 +120242,16 @@ index 4876cae..9f3b09b 100644 manage_files_pattern(ypbind_t, ypbind_var_run_t, ypbind_var_run_t) files_pid_filetrans(ypbind_t, ypbind_var_run_t, file) -@@ -142,8 +139,8 @@ optional_policy(` +@@ -108,6 +105,8 @@ domain_use_interactive_fds(ypbind_t) + files_read_etc_files(ypbind_t) + files_list_var(ypbind_t) + ++init_search_pid_dirs(ypbind_t) ++ + logging_send_syslog_msg(ypbind_t) + + miscfiles_read_localization(ypbind_t) +@@ -142,8 +141,8 @@ optional_policy(` allow yppasswdd_t self:capability dac_override; dontaudit yppasswdd_t self:capability sys_tty_config; @@ -120186,7 +120261,7 @@ index 4876cae..9f3b09b 100644 allow yppasswdd_t self:unix_dgram_socket create_socket_perms; allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms; allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms; -@@ -156,6 +153,8 @@ files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file) +@@ -156,6 +155,8 @@ files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file) manage_files_pattern(yppasswdd_t, var_yp_t, var_yp_t) manage_lnk_files_pattern(yppasswdd_t, var_yp_t, var_yp_t) @@ -120195,7 +120270,7 @@ index 4876cae..9f3b09b 100644 kernel_list_proc(yppasswdd_t) kernel_read_proc_symlinks(yppasswdd_t) kernel_getattr_proc_files(yppasswdd_t) -@@ -186,6 +185,7 @@ selinux_get_fs_mount(yppasswdd_t) +@@ -186,6 +187,7 @@ selinux_get_fs_mount(yppasswdd_t) auth_manage_shadow(yppasswdd_t) auth_relabel_shadow(yppasswdd_t) @@ -120203,7 +120278,7 @@ index 4876cae..9f3b09b 100644 auth_etc_filetrans_shadow(yppasswdd_t) corecmd_exec_bin(yppasswdd_t) -@@ -211,6 +211,10 @@ optional_policy(` +@@ -211,6 +213,10 @@ optional_policy(` ') optional_policy(` @@ -120214,7 +120289,7 @@ index 4876cae..9f3b09b 100644 seutil_sigchld_newrole(yppasswdd_t) ') -@@ -224,8 +228,8 @@ optional_policy(` +@@ -224,8 +230,8 @@ optional_policy(` # dontaudit ypserv_t self:capability sys_tty_config; 
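Review bot: `init_search_pid_dirs(ypbind_t)` in hunk `@@ -108,6 +105,8 @@` is added without a comment, and the spec changelog ties it to sd_notify. Search on the pid directory only covers path traversal; if ypbind actually sends the readiness datagram to the systemd notify socket, a send rule toward that socket will presumably be needed as well, so it is worth re-checking the AVC denials after this change rather than assuming the search rule is sufficient. A one-line why-comment would help: `# sd_notify(): traverse /var/run to reach the systemd notify socket`.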
@@ -120224,7 +120299,7 @@ index 4876cae..9f3b09b 100644 allow ypserv_t self:unix_dgram_socket create_socket_perms; allow ypserv_t self:unix_stream_socket create_stream_socket_perms; allow ypserv_t self:netlink_route_socket r_netlink_socket_perms; -@@ -236,10 +240,6 @@ manage_files_pattern(ypserv_t, var_yp_t, var_yp_t) +@@ -236,10 +242,6 @@ manage_files_pattern(ypserv_t, var_yp_t, var_yp_t) allow ypserv_t ypserv_conf_t:file read_file_perms; @@ -122263,7 +122338,7 @@ index 0000000..a437f80 +files_read_config_files(openshift_domain) diff --git a/policy/modules/services/openshift.fc b/policy/modules/services/openshift.fc new file mode 100644 -index 0000000..fbadaba +index 0000000..c9a5f74 --- /dev/null +++ b/policy/modules/services/openshift.fc @@ -0,0 +1,24 @@ 
@@ -122282,12 +122357,12 @@ index 0000000..fbadaba + +/var/log/mcollective\.log -- gen_context(system_u:object_r:openshift_log_t,s0) + -+/usr/bin/(oo|rhc)-cgroup-read -- gen_context(system_u:object_r:openshift_cgroup_read_exec_t,s0) ++/usr/s?bin/(oo|rhc)-cgroup-read -- gen_context(system_u:object_r:openshift_cgroup_read_exec_t,s0) + -+/usr/bin/(oo|rhc)-restorer -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0) -+/usr/bin/(oo|rhc)-restorer-wrapper.sh -- gen_context(unconfined_u:object_r:httpd_openshift_script_exec_t,s0) -+/usr/bin/oo-admin-ctl-gears -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0) -+/usr/sbin/mcollectived -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0) ++/usr/s?bin/(oo|rhc)-restorer -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0) ++/usr/s?bin/(oo|rhc)-restorer-wrapper.sh -- gen_context(unconfined_u:object_r:httpd_openshift_script_exec_t,s0) ++/usr/s?bin/oo-admin-ctl-gears -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0) ++/usr/s?bin/mcollectived -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0) + +/var/run/stickshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0) +/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0) @@ -133306,7 +133381,7 @@ index f5c47d6..482b584 100644 /var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) diff --git a/policy/modules/services/rpcbind.if b/policy/modules/services/rpcbind.if -index a96249c..a345080 100644 +index a96249c..46c8335 100644 --- a/policy/modules/services/rpcbind.if +++ b/policy/modules/services/rpcbind.if @@ -5,9 +5,9 @@ 
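Review bot: The `(oo|rhc)-restorer-wrapper.sh` entry in hunk `@@ -0,0 +1,24 @@` still carries `unconfined_u` as the SELinux user while every sibling entry in the file uses `system_u`; the commit only widened the path to `/usr/s?bin/`, so this inconsistency is pre-existing but now sits in the new code. A file context is normally restored with `system_u`, and labeling the wrapper with a login user is unusual enough that it should either be changed to `gen_context(system_u:object_r:httpd_openshift_script_exec_t,s0)` or carry a comment explaining why the user differs. I cannot tell from the diff whether it is intentional.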
@@ -133340,7 +133415,32 @@ index a96249c..a345080 100644 ') ######################################## -@@ -117,6 +116,24 @@ interface(`rpcbind_manage_lib_files',` +@@ -57,6 +56,24 @@ interface(`rpcbind_read_pid_files',` + allow $1 rpcbind_var_run_t:file read_file_perms; + ') + ++####################################### ++## ++## Transition to rpcbind named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rpcbind_filetrans_named_content',` ++ gen_require(` ++ type rpcbind_var_run_t; ++ ') ++ ++ files_pid_filetrans($1, rpcbind_var_run_t, sock_file, "rpcbind.sock") ++') ++ + ######################################## + ## + ## Search rpcbind lib directories. +@@ -117,6 +134,24 @@ interface(`rpcbind_manage_lib_files',` ######################################## ## @@ -133365,7 +133465,7 @@ index a96249c..a345080 100644 ## All of the rules required to administrate ## an rpcbind environment ## -@@ -138,11 +155,20 @@ interface(`rpcbind_admin',` +@@ -138,11 +173,20 @@ interface(`rpcbind_admin',` type rpcbind_initrc_exec_t; ') @@ -147713,7 +147813,7 @@ index 28ad538..9c82aad 100644 -/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 73554ec..3740647 100644 +index 73554ec..2088101 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -23,11 +23,17 @@ interface(`auth_role',` 
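Review bot: The new `rpcbind_filetrans_named_content` interface in hunk `@@ -57,6 +56,24 @@` only covers one name, and its summary does not say so; readers calling it from init (see the init.te change in this same commit) will assume it handles all rpcbind named content. Suggest tightening the summary line to `## Transition to rpcbind named content (rpcbind.sock in the pid dir)`. The separator above the interface also appears to be one `#` shorter than the `########################################` lines used elsewhere in the file, which is a cosmetic nit.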
@@ -148003,18 +148103,17 @@ index 73554ec..3740647 100644 ') ######################################## -@@ -637,6 +800,10 @@ interface(`auth_manage_shadow',` +@@ -637,6 +800,9 @@ interface(`auth_manage_shadow',` allow $1 shadow_t:file manage_file_perms; typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; + files_var_filetrans($1, shadow_t, file, "shadow") + files_var_filetrans($1, shadow_t, file, "shadow-") -+ files_etc_filetrans($1, shadow_t, file, ".pwd.lock") + files_etc_filetrans($1, shadow_t, file, "gshadow") ') ####################################### -@@ -736,7 +903,50 @@ interface(`auth_rw_faillog',` +@@ -736,7 +902,50 @@ interface(`auth_rw_faillog',` ') logging_search_logs($1) @@ -148066,7 +148165,7 @@ index 73554ec..3740647 100644 ') ####################################### -@@ -932,9 +1142,30 @@ interface(`auth_manage_var_auth',` +@@ -932,9 +1141,30 @@ interface(`auth_manage_var_auth',` ') files_search_var($1) @@ -148100,7 +148199,7 @@ index 73554ec..3740647 100644 ') ######################################## -@@ -1013,6 +1244,10 @@ interface(`auth_manage_pam_pid',` +@@ -1013,6 +1243,10 @@ interface(`auth_manage_pam_pid',` files_search_pids($1) allow $1 pam_var_run_t:dir manage_dir_perms; allow $1 pam_var_run_t:file manage_file_perms; @@ -148111,7 +148210,7 @@ index 73554ec..3740647 100644 ') ######################################## -@@ -1130,6 +1365,7 @@ interface(`auth_manage_pam_console_data',` +@@ -1130,6 +1364,7 @@ interface(`auth_manage_pam_console_data',` files_search_pids($1) manage_files_pattern($1, pam_var_console_t, pam_var_console_t) manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t) @@ -148119,7 +148218,7 @@ index 73554ec..3740647 100644 ') ####################################### -@@ -1387,6 +1623,25 @@ interface(`auth_setattr_login_records',` +@@ -1387,6 +1622,25 @@ interface(`auth_setattr_login_records',` ######################################## ## 
@@ -148145,7 +148244,7 @@ index 73554ec..3740647 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1537,37 +1792,49 @@ interface(`auth_manage_login_records',` +@@ -1537,37 +1791,49 @@ interface(`auth_manage_login_records',` logging_rw_generic_log_dirs($1) allow $1 wtmp_t:file manage_file_perms; @@ -148205,7 +148304,7 @@ index 73554ec..3740647 100644 ##

## ## -@@ -1575,87 +1842,206 @@ interface(`auth_relabel_login_records',` +@@ -1575,87 +1841,209 @@ interface(`auth_relabel_login_records',` ## Domain allowed access. ##
## @@ -148260,12 +148359,12 @@ index 73554ec..3740647 100644 + #files_etc_filetrans($1, passwd_file_t, file, "passwd+") + files_etc_filetrans($1, passwd_file_t, file, "passwd.OLD") + files_etc_filetrans($1, passwd_file_t, file, "ptmptmp") -+ files_etc_filetrans($1, shadow_t, file, "group.lock") -+ files_etc_filetrans($1, shadow_t, file, "passwd.lock") -+ files_etc_filetrans($1, shadow_t, file, "passwd.adjunct") ++ files_etc_filetrans($1, passwd_file_t, file, "passwd.lock") ++ files_etc_filetrans($1, passwd_file_t, file, ".pwd.lock") ++ files_etc_filetrans($1, passwd_file_t, file, "group.lock") ++ files_etc_filetrans($1, passwd_file_t, file, "passwd.adjunct") + files_etc_filetrans($1, shadow_t, file, "shadow") + files_etc_filetrans($1, shadow_t, file, "shadow-") -+ files_etc_filetrans($1, shadow_t, file, ".pwd.lock") + files_etc_filetrans($1, shadow_t, file, "gshadow") + logging_log_named_filetrans($1, lastlog_t, file, "lastlog") + logging_log_named_filetrans($1, faillog_t, file, "tallylog") @@ -148402,6 +148501,9 @@ index 73554ec..3740647 100644 + files_etc_filetrans($1, passwd_file_t, file, "ptmptmp") + files_etc_filetrans($1, passwd_file_t, file, "group") + files_etc_filetrans($1, passwd_file_t, file, "group-") ++ files_etc_filetrans($1, passwd_file_t, file, ".pwd.lock") ++ files_etc_filetrans($1, passwd_file_t, file, "passwd.lock") ++ files_etc_filetrans($1, passwd_file_t, file, "group.lock") +') + +######################################## @@ -150244,7 +150346,7 @@ index 94fd8dd..09f0ac4 100644 + allow $1 init_t:system undefined; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 29a9565..369a9cf 100644 +index 29a9565..5e6570b 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` 
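Review bot: Hunks `@@ -148260,12 +148359,12 @@` and `@@ -148402,6 +148501,9 @@` move `.pwd.lock`, `passwd.lock` and `group.lock` from shadow_t to passwd_file_t (and the earlier authlogin.if hunk `@@ -637,6 +800,9 @@` drops `.pwd.lock` from auth_manage_shadow), but nothing records why. `/etc/.pwd.lock` is the lock shadow-utils takes via lckpwdf() before touching passwd/shadow/group, so any domain allowed to manage passwd_file_t but not shadow_t can now create and hold it; that is probably acceptable, since such domains already write the password databases, but it is worth confirming against the set of callers. A comment at the first of these rules would capture the decision: `# shadow-utils lock files (lckpwdf); deliberately passwd_file_t, not shadow_t`.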
@@ -150464,18 +150566,17 @@ index 29a9565..369a9cf 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -186,16 +267,146 @@ tunable_policy(`init_upstart',` +@@ -186,16 +267,142 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') +storage_raw_rw_fixed_disk(init_t) + - optional_policy(` -- auth_rw_login_records(init_t) ++optional_policy(` + modutils_domtrans_insmod(init_t) - ') - - optional_policy(` ++') ++ ++optional_policy(` + postfix_exec(init_t) + postfix_list_spool(init_t) + mta_read_aliases(init_t) @@ -150580,15 +150681,12 @@ index 29a9565..369a9cf 100644 +auth_use_nsswitch(init_t) +auth_rw_login_records(init_t) + -+optional_policy(` -+ systemd_filetrans_named_content(init_t) -+') -+ -+optional_policy(` + optional_policy(` +- auth_rw_login_records(init_t) + lvm_rw_pipes(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` + consolekit_manage_log(init_t) +') + @@ -150613,10 +150711,18 @@ index 29a9565..369a9cf 100644 ') optional_policy(` -@@ -203,6 +414,17 @@ optional_policy(` +@@ -203,6 +410,25 @@ optional_policy(` ') optional_policy(` ++ rpcbind_filetrans_named_content(init_t) ++') ++ ++optional_policy(` ++ systemd_filetrans_named_content(init_t) ++') ++ ++optional_policy(` + udev_read_db(init_t) + udev_relabelto_db(init_t) + udev_create_kobject_uevent_socket(init_t) @@ -150631,7 +150737,7 @@ index 29a9565..369a9cf 100644 unconfined_domain(init_t) ') -@@ -212,8 +434,8 @@ optional_policy(` +@@ -212,8 +438,8 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; 
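Review bot: The new `optional_policy(` rpcbind_filetrans_named_content(init_t) ')` block in hunk `@@ -203,6 +410,25 @@` has no comment, and init creating a service's socket is unusual enough to warrant one; the spec changelog only says the socket should "be created with the correct label". If the reason is socket activation (init creates rpcbind.sock before rpcbind_t runs) — which I am inferring, not reading from the diff — say so: `# socket activation: init creates rpcbind.sock before rpcbind_t starts`. The same applies to the relocated `systemd_filetrans_named_content(init_t)` block directly below it.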
@@ -150642,7 +150748,7 @@ index 29a9565..369a9cf 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -241,12 +463,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -241,12 +467,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -150658,7 +150764,7 @@ index 29a9565..369a9cf 100644 init_write_initctl(initrc_t) -@@ -258,20 +483,34 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -258,20 +487,34 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -150697,7 +150803,7 @@ index 29a9565..369a9cf 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -279,6 +518,7 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -279,6 +522,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -150705,7 +150811,7 @@ index 29a9565..369a9cf 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -289,8 +529,10 @@ dev_write_framebuffer(initrc_t) +@@ -289,8 +533,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -150716,7 +150822,7 @@ index 29a9565..369a9cf 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,17 +540,16 @@ dev_manage_generic_files(initrc_t) +@@ -298,17 +544,16 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) 
@@ -150736,7 +150842,7 @@ index 29a9565..369a9cf 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -316,6 +557,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -316,6 +561,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -150744,7 +150850,7 @@ index 29a9565..369a9cf 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -323,8 +565,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +569,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -150756,7 +150862,7 @@ index 29a9565..369a9cf 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +584,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +588,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -150770,7 +150876,7 @@ index 29a9565..369a9cf 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,9 +599,12 @@ fs_mount_all_fs(initrc_t) +@@ -351,9 +603,12 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -150784,7 +150890,7 @@ index 29a9565..369a9cf 100644 mcs_killall(initrc_t) mcs_process_set_categories(initrc_t) -@@ -363,6 +614,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +618,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) 
@@ -150792,7 +150898,7 @@ index 29a9565..369a9cf 100644 selinux_get_enforce_mode(initrc_t) -@@ -370,10 +622,13 @@ storage_getattr_fixed_disk_dev(initrc_t) +@@ -370,10 +626,13 @@ storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) storage_setattr_removable_dev(initrc_t) @@ -150806,7 +150912,7 @@ index 29a9565..369a9cf 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -394,18 +649,17 @@ logging_read_audit_config(initrc_t) +@@ -394,18 +653,17 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -150828,7 +150934,7 @@ index 29a9565..369a9cf 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -458,6 +712,10 @@ ifdef(`distro_gentoo',` +@@ -458,6 +716,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -150839,7 +150945,7 @@ index 29a9565..369a9cf 100644 alsa_read_lib(initrc_t) ') -@@ -478,7 +736,7 @@ ifdef(`distro_redhat',` +@@ -478,7 +740,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -150848,7 +150954,7 @@ index 29a9565..369a9cf 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -493,6 +751,7 @@ ifdef(`distro_redhat',` +@@ -493,6 +755,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -150856,7 +150962,7 @@ index 29a9565..369a9cf 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -513,6 +772,7 @@ ifdef(`distro_redhat',` +@@ -513,6 +776,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) 
@@ -150864,7 +150970,7 @@ index 29a9565..369a9cf 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -522,8 +782,35 @@ ifdef(`distro_redhat',` +@@ -522,8 +786,35 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -150900,7 +151006,7 @@ index 29a9565..369a9cf 100644 ') optional_policy(` -@@ -531,14 +818,27 @@ ifdef(`distro_redhat',` +@@ -531,14 +822,27 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -150928,7 +151034,7 @@ index 29a9565..369a9cf 100644 ') ') -@@ -549,6 +849,39 @@ ifdef(`distro_suse',` +@@ -549,6 +853,39 @@ ifdef(`distro_suse',` ') ') @@ -150968,7 +151074,7 @@ index 29a9565..369a9cf 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -561,6 +894,8 @@ optional_policy(` +@@ -561,6 +898,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -150977,7 +151083,7 @@ index 29a9565..369a9cf 100644 ') optional_policy(` -@@ -577,6 +912,7 @@ optional_policy(` +@@ -577,6 +916,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -150985,7 +151091,7 @@ index 29a9565..369a9cf 100644 ') optional_policy(` -@@ -589,6 +925,17 @@ optional_policy(` +@@ -589,6 +929,17 @@ optional_policy(` ') optional_policy(` @@ -151003,7 +151109,7 @@ index 29a9565..369a9cf 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -605,9 +952,13 @@ optional_policy(` +@@ -605,9 +956,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -151017,7 +151123,7 @@ index 29a9565..369a9cf 100644 ') optional_policy(` -@@ -632,6 +983,10 @@ optional_policy(` +@@ -632,6 +987,10 @@ optional_policy(` ') optional_policy(` @@ -151028,7 +151134,7 @@ index 29a9565..369a9cf 100644 gpm_setattr_gpmctl(initrc_t) ') -@@ -649,6 +1004,15 @@ optional_policy(` +@@ -649,6 +1008,15 @@ optional_policy(` ') optional_policy(` 
@@ -151044,7 +151150,7 @@ index 29a9565..369a9cf 100644 inn_exec_config(initrc_t) ') -@@ -689,6 +1053,7 @@ optional_policy(` +@@ -689,6 +1057,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -151052,7 +151158,7 @@ index 29a9565..369a9cf 100644 ') optional_policy(` -@@ -706,7 +1071,13 @@ optional_policy(` +@@ -706,7 +1075,13 @@ optional_policy(` ') optional_policy(` @@ -151066,7 +151172,7 @@ index 29a9565..369a9cf 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +1100,10 @@ optional_policy(` +@@ -729,6 +1104,10 @@ optional_policy(` ') optional_policy(` @@ -151077,7 +151183,7 @@ index 29a9565..369a9cf 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +1113,20 @@ optional_policy(` +@@ -738,10 +1117,20 @@ optional_policy(` ') optional_policy(` @@ -151098,7 +151204,7 @@ index 29a9565..369a9cf 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1135,10 @@ optional_policy(` +@@ -750,6 +1139,10 @@ optional_policy(` ') optional_policy(` @@ -151109,7 +151215,7 @@ index 29a9565..369a9cf 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1160,6 @@ optional_policy(` +@@ -771,8 +1164,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -151118,7 +151224,7 @@ index 29a9565..369a9cf 100644 ') optional_policy(` -@@ -781,6 +1168,10 @@ optional_policy(` +@@ -781,6 +1172,10 @@ optional_policy(` ') optional_policy(` @@ -151129,7 +151235,7 @@ index 29a9565..369a9cf 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -790,10 +1181,12 @@ optional_policy(` +@@ -790,10 +1185,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -151142,7 +151248,7 @@ index 29a9565..369a9cf 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -805,7 +1198,6 @@ optional_policy(` +@@ -805,7 +1202,6 @@ optional_policy(` ') optional_policy(` 
@@ -151150,7 +151256,7 @@ index 29a9565..369a9cf 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -815,11 +1207,30 @@ optional_policy(` +@@ -815,11 +1211,30 @@ optional_policy(` ') optional_policy(` @@ -151182,7 +151288,7 @@ index 29a9565..369a9cf 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -829,6 +1240,18 @@ optional_policy(` +@@ -829,6 +1244,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -151201,7 +151307,7 @@ index 29a9565..369a9cf 100644 ') optional_policy(` -@@ -844,6 +1267,10 @@ optional_policy(` +@@ -844,6 +1271,10 @@ optional_policy(` ') optional_policy(` @@ -151212,7 +151318,7 @@ index 29a9565..369a9cf 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -854,3 +1281,165 @@ optional_policy(` +@@ -854,3 +1285,165 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 7324d5e..cf58a08 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 158%{?dist} +Release: 159%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -479,6 +479,14 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Oct 5 2012 Miroslav Grepl 3.10.0-159 +- More fixes for passwd/group labeling +- New ypbind pkg wants to search /var/run which is caused by sd_notify +- dbus needs to be able to read/write inherited fixed disk device_t passed through it +- Allow NM to read certs on NFS/CIFS using use_nfs_*, use_samba_* booleans +- Add interface to make sure rpcbind.sock is created with the correct label +- Add support for OpenShift sbin labeling + * Tue Oct 30 2012 Miroslav Grepl 3.10.0-158 - Fix labeling for passwd*